Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: edb50666ff
Branches Tags
helm-externa...
/
pkg
/
provider
/
chef
/
chef.go

chef.go 13 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package chef
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"encoding/json"
    20. 

  20. 	"errors"
    21. 

  21. 	"fmt"
    22. 

  22. 	"net/url"
    23. 

  23. 	"strings"
    24. 

  24. 	"time"
    25. 

  25. 

  26. 	"github.com/go-chef/chef"
    27. 

  27. 	"github.com/go-logr/logr"
    28. 

  28. 	"github.com/tidwall/gjson"
    29. 

  29. 	corev1 "k8s.io/api/core/v1"
    30. 

  30. 	"k8s.io/apimachinery/pkg/types"
    31. 

  31. 	ctrl "sigs.k8s.io/controller-runtime"
    32. 

  32. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    33. 

  33. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    34. 

  34. 

  35. 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    36. 

  36. 	"github.com/external-secrets/external-secrets/pkg/metrics"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/utils"
    38. 

  38. )
    39. 

  39. 

  40. const (
    41. 

  41. 	errChefStore                             = "received invalid Chef SecretStore resource: %w"
    42. 

  42. 	errMissingStore                          = "missing store"
    43. 

  43. 	errMissingStoreSpec                      = "missing store spec"
    44. 

  44. 	errMissingProvider                       = "missing provider"
    45. 

  45. 	errMissingChefProvider                   = "missing chef provider"
    46. 

  46. 	errMissingUserName                       = "missing username"
    47. 

  47. 	errMissingServerURL                      = "missing serverurl"
    48. 

  48. 	errMissingAuth                           = "cannot initialize Chef Client: no valid authType was specified"
    49. 

  49. 	errMissingSecretKey                      = "missing Secret Key"
    50. 

  50. 	errInvalidClusterStoreMissingPKNamespace = "invalid ClusterSecretStore: missing privateKeySecretRef.Namespace"
    51. 

  51. 	errFetchK8sSecret                        = "could not fetch SecretKey Secret: %w"
    52. 

  52. 	errInvalidURL                            = "invalid serverurl: %w"
    53. 

  53. 	errChefClient                            = "unable to create chef client: %w"
    54. 

  54. 	errChefProvider                          = "missing or invalid spec: %w"
    55. 

  55. 	errUninitalizedChefProvider              = "chef provider is not initialized"
    56. 

  56. 	errNoDatabagItemFound                    = "data bag item %s not found in data bag %s"
    57. 

  57. 	errNoDatabagItemPropertyFound            = "property %s not found in data bag item"
    58. 

  58. 	errCannotListDataBagItems                = "unable to list items in data bag %s, may be given data bag doesn't exists or it is empty"
    59. 

  59. 	errUnableToConvertToJSON                 = "unable to convert databagItem into JSON"
    60. 

  60. 	errInvalidFormat                         = "invalid key format in data section. Expected value 'databagName/databagItemName'"
    61. 

  61. 	errStoreValidateFailed                   = "unable to validate provided store. Check if username, serverUrl and privateKey are correct"
    62. 

  62. 	errServerURLNoEndSlash                   = "serverurl does not end with slash(/)"
    63. 

  63. 	errInvalidDataform                       = "invalid key format in dataForm section. Expected only 'databagName'"
    64. 

  64. 	errNotImplemented                        = "not implemented"
    65. 

  65. 

  66. 	ProviderChef             = "Chef"
    67. 

  67. 	CallChefGetDataBagItem   = "GetDataBagItem"
    68. 

  68. 	CallChefListDataBagItems = "ListDataBagItems"
    69. 

  69. 	CallChefGetUser          = "GetUser"
    70. 

  70. )
    71. 

  71. 

  72. var contextTimeout = time.Second * 25
    73. 

  73. 

  74. type DatabagFetcher interface {
    75. 

  75. 	GetItem(databagName string, databagItem string) (item chef.DataBagItem, err error)
    76. 

  76. 	ListItems(name string) (data *chef.DataBagListResult, err error)
    77. 

  77. }
    78. 

  78. 

  79. type UserInterface interface {
    80. 

  80. 	Get(name string) (user chef.User, err error)
    81. 

  81. }
    82. 

  82. 

  83. type Providerchef struct {
    84. 

  84. 	clientName     string
    85. 

  85. 	databagService DatabagFetcher
    86. 

  86. 	userService    UserInterface
    87. 

  87. 	log            logr.Logger
    88. 

  88. }
    89. 

  89. 

  90. var _ v1beta1.SecretsClient = &Providerchef{}
    91. 

  91. var _ v1beta1.Provider = &Providerchef{}
    92. 

  92. 

  93. func init() {
    94. 

  94. 	v1beta1.Register(&Providerchef{}, &v1beta1.SecretStoreProvider{
    95. 

  95. 		Chef: &v1beta1.ChefProvider{},
    96. 

  96. 	})
    97. 

  97. }
    98. 

  98. 

  99. func (providerchef *Providerchef) NewClient(ctx context.Context, store v1beta1.GenericStore, kube kclient.Client, namespace string) (v1beta1.SecretsClient, error) {
    100. 

  100. 	chefProvider, err := getChefProvider(store)
    101. 

  101. 	if err != nil {
    102. 

  102. 		return nil, fmt.Errorf(errChefProvider, err)
    103. 

  103. 	}
    104. 

  104. 

  105. 	credentialsSecret := &corev1.Secret{}
    106. 

  106. 	objectKey := types.NamespacedName{
    107. 

  107. 		Name:      chefProvider.Auth.SecretRef.SecretKey.Name,
    108. 

  108. 		Namespace: namespace,
    109. 

  109. 	}
    110. 

  110. 

  111. 	if store.GetObjectKind().GroupVersionKind().Kind == v1beta1.ClusterSecretStoreKind {
    112. 

  112. 		if chefProvider.Auth.SecretRef.SecretKey.Namespace == nil {
    113. 

  113. 			return nil, errors.New(errInvalidClusterStoreMissingPKNamespace)
    114. 

  114. 		}
    115. 

  115. 		objectKey.Namespace = *chefProvider.Auth.SecretRef.SecretKey.Namespace
    116. 

  116. 	}
    117. 

  117. 

  118. 	if err := kube.Get(ctx, objectKey, credentialsSecret); err != nil {
    119. 

  119. 		return nil, fmt.Errorf(errFetchK8sSecret, err)
    120. 

  120. 	}
    121. 

  121. 

  122. 	secretKey := credentialsSecret.Data[chefProvider.Auth.SecretRef.SecretKey.Key]
    123. 

  123. 	if len(secretKey) == 0 {
    124. 

  124. 		return nil, errors.New(errMissingSecretKey)
    125. 

  125. 	}
    126. 

  126. 

  127. 	client, err := chef.NewClient(&chef.Config{
    128. 

  128. 		Name:    chefProvider.UserName,
    129. 

  129. 		Key:     string(secretKey),
    130. 

  130. 		BaseURL: chefProvider.ServerURL,
    131. 

  131. 	})
    132. 

  132. 	if err != nil {
    133. 

  133. 		return nil, fmt.Errorf(errChefClient, err)
    134. 

  134. 	}
    135. 

  135. 

  136. 	providerchef.clientName = chefProvider.UserName
    137. 

  137. 	providerchef.databagService = client.DataBags
    138. 

  138. 	providerchef.userService = client.Users
    139. 

  139. 	providerchef.log = ctrl.Log.WithName("provider").WithName("chef").WithName("secretsmanager")
    140. 

  140. 	return providerchef, nil
    141. 

  141. }
    142. 

  142. 

  143. // Close closes the client connection.
    144. 

  144. func (providerchef *Providerchef) Close(_ context.Context) error {
    145. 

  145. 	return nil
    146. 

  146. }
    147. 

  147. 

  148. // Validate checks if the client is configured correctly
    149. 

  149. // to be able to retrieve secrets from the provider.
    150. 

  150. func (providerchef *Providerchef) Validate() (v1beta1.ValidationResult, error) {
    151. 

  151. 	_, err := providerchef.userService.Get(providerchef.clientName)
    152. 

  152. 	metrics.ObserveAPICall(ProviderChef, CallChefGetUser, err)
    153. 

  153. 	if err != nil {
    154. 

  154. 		return v1beta1.ValidationResultError, errors.New(errStoreValidateFailed)
    155. 

  155. 	}
    156. 

  156. 	return v1beta1.ValidationResultReady, nil
    157. 

  157. }
    158. 

  158. 

  159. // GetAllSecrets Retrieves a map[string][]byte with the Databag names as key and the Databag's Items as secrets.
    160. 

  160. func (providerchef *Providerchef) GetAllSecrets(_ context.Context, _ v1beta1.ExternalSecretFind) (map[string][]byte, error) {
    161. 

  161. 	return nil, errors.New("dataFrom.find not suppported")
    162. 

  162. }
    163. 

  163. 

  164. // GetSecret returns a databagItem present in the databag. format example: databagName/databagItemName.
    165. 

  165. func (providerchef *Providerchef) GetSecret(ctx context.Context, ref v1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    166. 

  166. 	if utils.IsNil(providerchef.databagService) {
    167. 

  167. 		return nil, errors.New(errUninitalizedChefProvider)
    168. 

  168. 	}
    169. 

  169. 

  170. 	key := ref.Key
    171. 

  171. 	databagName := ""
    172. 

  172. 	databagItem := ""
    173. 

  173. 	nameSplitted := strings.Split(key, "/")
    174. 

  174. 	if len(nameSplitted) > 1 {
    175. 

  175. 		databagName = nameSplitted[0]
    176. 

  176. 		databagItem = nameSplitted[1]
    177. 

  177. 	}
    178. 

  178. 	providerchef.log.Info("fetching secret value", "databag Name:", databagName, "databag Item:", databagItem)
    179. 

  179. 	if databagName != "" && databagItem != "" {
    180. 

  180. 		return getSingleDatabagItemWithContext(ctx, providerchef, databagName, databagItem, ref.Property)
    181. 

  181. 	}
    182. 

  182. 

  183. 	return nil, errors.New(errInvalidFormat)
    184. 

  184. }
    185. 

  185. 

  186. func getSingleDatabagItemWithContext(ctx context.Context, providerchef *Providerchef, dataBagName, databagItemName, propertyName string) ([]byte, error) {
    187. 

  187. 	ctxWithTimeout, cancel := context.WithTimeout(ctx, contextTimeout)
    188. 

  188. 	defer cancel()
    189. 

  189. 	type result = struct {
    190. 

  190. 		values []byte
    191. 

  191. 		err    error
    192. 

  192. 	}
    193. 

  193. 	getWithTimeout := func() chan result {
    194. 

  194. 		resultChan := make(chan result, 1)
    195. 

  195. 		go func() {
    196. 

  196. 			defer close(resultChan)
    197. 

  197. 			ditem, err := providerchef.databagService.GetItem(dataBagName, databagItemName)
    198. 

  198. 			metrics.ObserveAPICall(ProviderChef, CallChefGetDataBagItem, err)
    199. 

  199. 			if err != nil {
    200. 

  200. 				resultChan <- result{err: fmt.Errorf(errNoDatabagItemFound, databagItemName, dataBagName)}
    201. 

  201. 				return
    202. 

  202. 			}
    203. 

  203. 			jsonByte, err := json.Marshal(ditem)
    204. 

  204. 			if err != nil {
    205. 

  205. 				resultChan <- result{err: errors.New(errUnableToConvertToJSON)}
    206. 

  206. 				return
    207. 

  207. 			}
    208. 

  208. 			if propertyName != "" {
    209. 

  209. 				propertyValue, err := getPropertyFromDatabagItem(jsonByte, propertyName)
    210. 

  210. 				if err != nil {
    211. 

  211. 					resultChan <- result{err: err}
    212. 

  212. 					return
    213. 

  213. 				}
    214. 

  214. 				resultChan <- result{values: propertyValue}
    215. 

  215. 			} else {
    216. 

  216. 				resultChan <- result{values: jsonByte}
    217. 

  217. 			}
    218. 

  218. 		}()
    219. 

  219. 		return resultChan
    220. 

  220. 	}
    221. 

  221. 	select {
    222. 

  222. 	case <-ctxWithTimeout.Done():
    223. 

  223. 		return nil, ctxWithTimeout.Err()
    224. 

  224. 	case r := <-getWithTimeout():
    225. 

  225. 		if r.err != nil {
    226. 

  226. 			return nil, r.err
    227. 

  227. 		}
    228. 

  228. 		return r.values, nil
    229. 

  229. 	}
    230. 

  230. }
    231. 

  231. 

  232. /*
    233. 

  233. A path is a series of keys separated by a dot.
    234. 

  234. A key may contain special wildcard characters '*' and '?'.
    235. 

  235. To access an array value use the index as the key.
    236. 

  236. To get the number of elements in an array or to access a child path, use the '#' character.
    237. 

  237. The dot and wildcard characters can be escaped with '\'.
    238. 

  238. 

  239. refer https://github.com/tidwall/gjson#:~:text=JSON%20byte%20slices.-,Path%20Syntax,-Below%20is%20a
    240. 

  240. */
    241. 

  241. func getPropertyFromDatabagItem(jsonByte []byte, propertyName string) ([]byte, error) {
    242. 

  242. 	result := gjson.GetBytes(jsonByte, propertyName)
    243. 

  243. 

  244. 	if !result.Exists() {
    245. 

  245. 		return nil, fmt.Errorf(errNoDatabagItemPropertyFound, propertyName)
    246. 

  246. 	}
    247. 

  247. 	return []byte(result.Str), nil
    248. 

  248. }
    249. 

  249. 

  250. // GetSecretMap returns multiple k/v pairs from the provider, for dataFrom.extract.key
    251. 

  251. // dataFrom.extract.key only accepts dataBagName, example : dataFrom.extract.key: myDatabag
    252. 

  252. // databagItemName or Property not expected in key.
    253. 

  253. func (providerchef *Providerchef) GetSecretMap(ctx context.Context, ref v1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    254. 

  254. 	if utils.IsNil(providerchef.databagService) {
    255. 

  255. 		return nil, errors.New(errUninitalizedChefProvider)
    256. 

  256. 	}
    257. 

  257. 	databagName := ref.Key
    258. 

  258. 

  259. 	if strings.Contains(databagName, "/") {
    260. 

  260. 		return nil, errors.New(errInvalidDataform)
    261. 

  261. 	}
    262. 

  262. 	getAllSecrets := make(map[string][]byte)
    263. 

  263. 	providerchef.log.Info("fetching all items from", "databag:", databagName)
    264. 

  264. 	dataItems, err := providerchef.databagService.ListItems(databagName)
    265. 

  265. 	metrics.ObserveAPICall(ProviderChef, CallChefListDataBagItems, err)
    266. 

  266. 	if err != nil {
    267. 

  267. 		return nil, fmt.Errorf(errCannotListDataBagItems, databagName)
    268. 

  268. 	}
    269. 

  269. 

  270. 	for dataItem := range *dataItems {
    271. 

  271. 		dItem, err := getSingleDatabagItemWithContext(ctx, providerchef, databagName, dataItem, "")
    272. 

  272. 		if err != nil {
    273. 

  273. 			return nil, fmt.Errorf(errNoDatabagItemFound, dataItem, databagName)
    274. 

  274. 		}
    275. 

  275. 		getAllSecrets[dataItem] = dItem
    276. 

  276. 	}
    277. 

  277. 	return getAllSecrets, nil
    278. 

  278. }
    279. 

  279. 

  280. // ValidateStore checks if the provided store is valid.
    281. 

  281. func (providerchef *Providerchef) ValidateStore(store v1beta1.GenericStore) (admission.Warnings, error) {
    282. 

  282. 	chefProvider, err := getChefProvider(store)
    283. 

  283. 	if err != nil {
    284. 

  284. 		return nil, fmt.Errorf(errChefStore, err)
    285. 

  285. 	}
    286. 

  286. 	// check namespace compared to kind
    287. 

  287. 	if err := utils.ValidateSecretSelector(store, chefProvider.Auth.SecretRef.SecretKey); err != nil {
    288. 

  288. 		return nil, fmt.Errorf(errChefStore, err)
    289. 

  289. 	}
    290. 

  290. 	return nil, nil
    291. 

  291. }
    292. 

  292. 

  293. // getChefProvider validates the incoming store and return the chef provider.
    294. 

  294. func getChefProvider(store v1beta1.GenericStore) (*v1beta1.ChefProvider, error) {
    295. 

  295. 	if store == nil {
    296. 

  296. 		return nil, errors.New(errMissingStore)
    297. 

  297. 	}
    298. 

  298. 	storeSpec := store.GetSpec()
    299. 

  299. 	if storeSpec == nil {
    300. 

  300. 		return nil, errors.New(errMissingStoreSpec)
    301. 

  301. 	}
    302. 

  302. 	provider := storeSpec.Provider
    303. 

  303. 	if provider == nil {
    304. 

  304. 		return nil, errors.New(errMissingProvider)
    305. 

  305. 	}
    306. 

  306. 	chefProvider := storeSpec.Provider.Chef
    307. 

  307. 	if chefProvider == nil {
    308. 

  308. 		return nil, errors.New(errMissingChefProvider)
    309. 

  309. 	}
    310. 

  310. 	if chefProvider.UserName == "" {
    311. 

  311. 		return chefProvider, errors.New(errMissingUserName)
    312. 

  312. 	}
    313. 

  313. 	if chefProvider.ServerURL == "" {
    314. 

  314. 		return chefProvider, errors.New(errMissingServerURL)
    315. 

  315. 	}
    316. 

  316. 	if !strings.HasSuffix(chefProvider.ServerURL, "/") {
    317. 

  317. 		return chefProvider, errors.New(errServerURLNoEndSlash)
    318. 

  318. 	}
    319. 

  319. 	// check valid URL
    320. 

  320. 	if _, err := url.ParseRequestURI(chefProvider.ServerURL); err != nil {
    321. 

  321. 		return chefProvider, fmt.Errorf(errInvalidURL, err)
    322. 

  322. 	}
    323. 

  323. 	if chefProvider.Auth == nil {
    324. 

  324. 		return chefProvider, errors.New(errMissingAuth)
    325. 

  325. 	}
    326. 

  326. 	if chefProvider.Auth.SecretRef.SecretKey.Key == "" {
    327. 

  327. 		return chefProvider, errors.New(errMissingSecretKey)
    328. 

  328. 	}
    329. 

  329. 

  330. 	return chefProvider, nil
    331. 

  331. }
    332. 

  332. 

  333. // Not Implemented DeleteSecret.
    334. 

  334. func (providerchef *Providerchef) DeleteSecret(_ context.Context, _ v1beta1.PushSecretRemoteRef) error {
    335. 

  335. 	return errors.New(errNotImplemented)
    336. 

  336. }
    337. 

  337. 

  338. // Not Implemented PushSecret.
    339. 

  339. func (providerchef *Providerchef) PushSecret(_ context.Context, _ *corev1.Secret, _ v1beta1.PushSecretData) error {
    340. 

  340. 	return errors.New(errNotImplemented)
    341. 

  341. }
    342. 

  342. 

  343. func (providerchef *Providerchef) SecretExists(_ context.Context, _ v1beta1.PushSecretRemoteRef) (bool, error) {
    344. 

  344. 	return false, errors.New(errNotImplemented)
    345. 

  345. }
    346. 

  346. 

  347. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
    348. 

  348. func (providerchef *Providerchef) Capabilities() v1beta1.SecretStoreCapabilities {
    349. 

  349. 	return v1beta1.SecretStoreReadOnly
    350. 

  350. }
    351.